Validate download signature?

ryansch

The CLI download comes with a .sig file. How would I use that to validate the download?

---

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

cohix

Hey @ryansch you can see those instructions in our getting started guide: https://support.1password.com/command-line-getting-started/#set-up-the-command-line-tool

ryansch

Perfect! Thanks @cohix.

cohix

Any time!

ryansch

@cohix keybase pgp verify -d op.sig -i op -S 1password might be an even better verification command

cohix

Cool, we'll look into it :)

Claudi

@ryansch Great alternative! UX-wise, the keybase command line is a step forward. Its output has a much clearer wording, which makes it much less fear-inducing to users who are not crypto experts.

That said, the gpg variant may still remain useful. Some users may prefer not to join Keybase, not to install their software, or not to trust yet another party in the chain.

cohix

Yes, we considered the keybase tools, but we decided that asking users to join keybase just to validate our signatures was ridiculous. GPG should suffice for most people.

pervel

@cohix: keybase actually works without logging in. But the command needs to have the keybase GUI running which isn't ideal if you use the command infrequently.

cohix

Ah okay I understand. Thanks for the heads up.